Creating Your Disaster Recovery Action Plan | The State of Security
Perhaps Disaster Recovery (DR) isn’t one of the hot terms like the Internet of Things (IoT) or Hybrid Cloud, but I would argue that re-examining your DR plan now might be one of the most important IT management initiatives on which you can focus your energy.
Think about it. How much has the world changed in the past two years? Most people used to think about disasters as typical IT incidents such as system failure, ransomware incidents, or power outages. While these are still critical disasters to plan around, the pandemic brought a shift to increased decentralization of technology and people, changing the way we work, the security landscape, and how we define and respond to a disaster. Now our disaster recovery plans need to be broader and more comprehensive than ever before.
Redefining a Disaster
DR planning often fails when a cookie cutter approach is taken. There are so many resources out there to help people create their DR plans, but oftentimes, these planning tools are not applied in a way that makes sense for the business. In other words, the people creating these plans tend to over-rely on templates and advice without addressing what could actually cause consequences. Before rewriting any policy or buying any new products, take a step back and think about the way you work. What has changed? What are the areas of your business that, if unavailable, would be painful? What might be considered a disaster for you that might be seen as uneventful by the average person and vice versa?
The best DR plans are created by focusing on the biggest business risks and investing the most time, energy, and resources on those first. Of course, you should address disasters such as facility failures, major system outages (both to technology you manage and Cloud/SaaS products you do not directly control), and security incidents. However, you might also consider other things such as major staff illnesses, weather, geographically specific concerns (i.e. hurricanes in Florida or earthquakes in California), legal or compliance violations that could put the operation at risk, as well as bomb threats and other risks of violence or harm.
It’s impossible to outline and prepare for every possible contingency, but you need to start with the ones that are both plausible and impactful.
How Comfortable Are You Reacting to a Disaster?
Go back and look at whatever DR plan you have right now and think about the disasters you just defined. Does your current plan really address those concerns?
Before prescribing solutions for planning around these disasters, go back and figure out your risk and recovery tolerance. If a particular disaster occurred, what would be a reasonably desirable outcome for recovery? You want to keep it reasonable because disasters are inherently destructive, so the more seamless and pain-free you want your recovery to be, expect to see that reflected in the amount of investment required to achieve that outcome. For technology recovery, you’ll want to define your Recovery Time (RTO) and Recovery Point (RPO) objectives as well as the budget you have to put towards it. But you can apply this to non-technology recovery, too, like having personnel trained to have backup roles during specific incidents.
So, going back to the original question, after everything that has happened in the past couple of years, do you still think your DR plan addresses the disasters you could face in the way you hope? Management review, tabletop exercises, and other drills used for testing the effectiveness of your current DR plan will clarify the situation. Chances are that you’ll need to make a change at least in some way. That’s OK. DR plans are always a work in progress.
Implementing an Action Plan to Improve Your Disaster Recovery
Now that you’ve assessed your current DR plans and how effective they are, you should have a good sense of where your plan is lacking. Perhaps the laundry list is a little overwhelming. This can be the case when your organization is growing or changing and you are still early on in the planning process. Rather than focus on the negative, the only solution is to move forward and make improvements.
It is unrealistic to try to address all the shortcomings of your DR plan within, say, a month—especially if the issues with the plan run across different aspects of the organization. Rank your DR plan challenges based on impact and address-ability. Some items may be fixable simply by updating your company policies or processes, which may just require some time put aside or third-party assistance. However, if you must build out alternate recovery sites, solve challenges with new remote connections, or implement other changes to the plan that require more serious effort, you’ll have to set some realistic expectations and plan for the longer term. Your goals should be achievable; however, expecting major projects to run completely smoothly without challenges is setting your team up for failure.
When organizations try to fix shortcomings with a compliance plan, they oftentimes use a “Plan of Action & Milestones” or POAM. Applying a POAM to developing your strategy might be a good approach if your DR Plan requires multi-layered and longer-term changes. Most people just need something to organize their thoughts, hold their teams accountable, and work towards a shared goal.
DR planning should really be a constant process. First, create a DR plan that suits your current needs. Then re-evaluate the suitability of your DR plan as things inevitably change. Identify the areas where the plan is lacking and come up with reasonable ways to address them (or at least be aware of the issues). There is never a perfect DR plan, so you will always have to make tweaks and improvements. The important thing to remember is that organizations that put care and attention into their DR plan always end up having better outcomes than those who purely react to the disaster they are bound to experience.
About the Author: Ben Schmerler is the Director of Strategic Operations at DP Solutions, a leading managed IT services provider serving the technology needs of businesses throughout the Mid-Atlantic. Ben works with organizations to develop a consistent strategy for cyber security, policy & compliance management, system design, integration planning, and other technology concerns. He has been a guest speaker, panelist, and presenter at several industry events, and he has made several TV and radio news appearances educating viewers about cyber-security best practices.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.